[cabf_netsec] [EXTERNAL]Re: Offline Roots

Ben Wilson ben.wilson at digicert.com
Fri Jul 7 08:56:16 MST 2017

When WordPress renders the alphabetical list, it converts those alphabetical letters to numbers.  I'm fixing it by removing the coded numbering and replacing it with the  actual letters.

-----Original Message-----
From: Netsec [mailto:netsec-bounces at cabforum.org] On Behalf Of Tom Ritter via Netsec
Sent: Friday, July 7, 2017 7:48 AM
To: Dimitris Zacharopoulos <jimmy at it.auth.gr>; CA/Browser Forum Network Security WG List <netsec at cabforum.org>
Subject: Re: [cabf_netsec] [EXTERNAL]Re: Offline Roots

On 7 July 2017 at 04:26, Dimitris Zacharopoulos via Netsec <netsec at cabforum.org> wrote:
> On 6/7/2017 7:36 μμ, Peter Bowen via Netsec wrote:
> So, to better understand the suggestion, for 2(m) we would need either 
> "multi-factor authentication by a single person" OR "single-factor 
> authentication by multiple persons". Is that right?

Or multi-factor by multiple persons? I don't know pedantic auditors can be :)

Question: What doc are you all working off? (I pull up https://cabforum.org/network-security/ which numbers things numerically, not with letters.)

I am also skeptical of issuing a blanket "Does not apply to roots".

1d - I don't understand why this is a problem, since an offline root is stored in (as you said) "a high security zone". This ought to fit the definition of "Secure Zone" no?

1g, 1h - I agree these could be reworked to accommodate offline devices. Could change to "Configure **network-connected** Issuing Systems..."?

2m - Agree I would prefer to keep this requirement even for non-network connected devices, but we should have it to multi-factor and/or multi-party.

2o - I agree this shouldn't apply, and have no concerns about adding a clarifying "network-connected"

Netsec mailing list
Netsec at cabforum.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4974 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/netsec/attachments/20170707/c1419c2a/attachment.p7s>

More information about the Netsec mailing list